Unknown App

From: Scott Fuhriman (fuhrimans@llix.net)
Date: Fri Jul 22 2005 - 14:57:43 EDT


It is my opinion, I would hope others would agree, that with this particular
issue as originally described the only way to identify and mitigate whatever
is happening is to get local access to the machine and then start performing
some initial forensics like others and myself have suggested by running
utilities that show what processes/PIDs are bound to which ports. This will
allow you to search for the potentially offending file/executable and do
some more investigation from there.

Remember however, the biggest concern is that if there is a compromise, the
box typically has to be completely wiped and installed from scratch to
eliminate the possibility of other backdoors/Trojans that may be residing on
your machine. Many/most rootkits for example have a payload to deliver on
the machine, but also drop various other items and make configuration
changes to allow an attacker other methods to regain access to the
compromised machine. It all depends on what your findings are and the level
of risk an organization is willing to accept to effectively mitigate.

Many administrators or management, that don't have security training or
mindset, overlook this fact and think they have mitigated the issue when in
fact malicious activity continues to occur or the issue originally
discovered resurfaces.

Scott Fuhriman
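The port-to-process mapping described above, done natively on a current Windows host, as an added example that is not part of the original thread: it lists every listening TCP port with its owning PID, executable path and Authenticode status, and flags ports of interest whose owner is not in an assumed allow-list. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session so process paths are readable; the ports and allow-list are hypothetical values to adjust per host.

```powershell
# Added triage example (not from the original thread): map listening TCP
# ports to their owning processes and flag anything unexpected on ports
# of interest (port 80 in the thread). Run from an elevated PowerShell.
param(
    [int[]]$PortsOfInterest = @(80, 443, 8080),
    # Hypothetical allow-list of process names expected to own those ports.
    [string[]]$ExpectedOwners = @('httpd', 'nginx', 'w3wp', 'System')
)

$listeners = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

$report = foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $path = $null
    $sig  = 'n/a'
    if ($proc -and $proc.Path) {
        $path = $proc.Path
        # Unsigned or tampered binaries are worth a closer look.
        $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    $owner = if ($proc) { $proc.ProcessName } else { 'unknown' }
    $suspicious = ($PortsOfInterest -contains $l.LocalPort) -and
                  -not ($ExpectedOwners -contains $owner)
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        Port         = $l.LocalPort
        PID          = $l.OwningProcess
        Process      = $owner
        Path         = $path
        Signature    = $sig
        Suspicious   = $suspicious
    }
}

# Full inventory first, then the items that need investigation.
$report | Sort-Object Port | Format-Table -AutoSize
$report | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("Port {0} is owned by {1} (PID {2}, path {3}, signature {4}); " +
                   "inspect this binary before deciding whether the host must be rebuilt." `
                   -f $_.Port, $_.Process, $_.PID, $_.Path, $_.Signature)
}
```

Save the report before touching the host, since it is the starting point for the forensics the message describes.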

-----Original Message-----
From: Sharad Birmiwal [mailto:sharadbirmiwal@gmail.com]
Sent: Friday, July 22, 2005 2:31 AM
To: thenightweighsheavy@gmail.com; pen-test@securityfocus.com
Subject: Re: Unknown App

I recently discovered some worm on my network that tried to spread a payload
file 'xxxxxxxx' by binding on port 80. It didn't serve a banner or any
webpages, but http://>/xxxxxxxx worked.

sharad birmiwal

On 7/21/05, Scott Fuhriman <fuhrimans@llix.net> wrote:
>
> The easiest and fastest approach is to use a port mapping utility like
> Active Ports
> (http://www.ntutility.com) or TCPview (www.sysinternals.com) (there
> are others like fport, etc...) which will allow you to see what
> process has port 80 open on the machines.
>
> This will allow you to identify what application/process is utilizing
> that port.
>
>
>
> Scott Fuhriman
>
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:37 EDT